Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jun 27, 2017 4:43 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 7 posts ] 
Author Message
PostPosted: Tue Dec 13, 2016 11:42 pm 
Offline

Joined: Tue Dec 13, 2016 9:42 pm
Posts: 1
Hi there,

I have a serious hard time getting my Yubikey run as an auth device on my Win10 boxes. I setup everything in the PKI as it should, loaded the user key in the Yubikey and every logon (Win2012R2/Win8/Win7) works unless doing it from Win10.
I can really sort things out like drivers because logging in from Win10 with RDP to any other device per smartcard works flawlessly.

The only message, I am getting on the Win10 (x64, patched up to date), when signing in per Yubikey is: "Your smart card could not be used. Please contact.. blah"
Eventviewer logs an error ONCE the device boots up in the app-events: Source: Smart Card Logon, Eventi-ID 7: Error signing a message with the plugged in smart card. An unexpected error has happened.

This happens on two independent machines.

I am lost now. Google seems not to find anything.

Please help!

Greetings!

Don


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Dec 14, 2016 8:47 pm 
Offline

Joined: Fri Dec 02, 2016 7:54 pm
Posts: 6
Donald,

Sorry that you are having trouble with getting PIV to work on Win10. I am running a PIV Win10 environment without those issues. Looking through the forums I appears you are not the only one having the issue. One poster even said Yubico support is aware of a Microsoft issue that is causing this. I wish they would post and bring some light to this situation, or assist in figuring out why some are working fine and others aren't. Let me know if there is anything I can check in my environment to assist you.

Danny


Top
 Profile  
Reply with quote  
PostPosted: Mon Jan 09, 2017 2:35 am 
Offline

Joined: Mon Jan 09, 2017 2:00 am
Posts: 3
Danny, et all.

I have the same issue as Donald reports. (i.e 'instant fail'). Error code 7 and Warning 623.

Devices that fail are all Win10 Enterprise (x64), Version 1607, OS Build 14394.576. Fails (ethernet) network attached (same switch, vlan and subnet as the servers) , DirectAccess and (since no cache) offline.

Works ok on Server 2012 R2 / Server 2016, console and RDP.

YubiKey 4 set up and deployed as per the pdfs. Was enrolled using PIV manager (user self service) on the same machine.

The DC / CA Servers sit on W2012 R2, fully patched.

Things I plan to try this week:
Test against other keys the PIV Manger can generate
Test on earlier W10 builds (1511 and the original edition, 1507?) - not that I can roll back the production network but at least it helps isolate.
Test on W8 and or 8.1 machines

Any thoughts or hints are welcome.
thanks,
David


Top
 Profile  
Reply with quote  
PostPosted: Fri Jan 13, 2017 9:49 am 
Offline

Joined: Mon Jan 09, 2017 2:00 am
Posts: 3
Further to my last, no further on.

Changing the key type (within the confines of the minimum key size as described by the template) has no effect.
Test on an first install and fully patched W10 1511 machine does not allow logins or unlocks
W8.1 works as expected
Unlocking a W2012 R2 Server or W2016 server fails over RDP, login works.

All errors from the above are still Error 7.

Whilst this may not be Yubikey's fault (they have no way to control changes Microsoft make) my immediate concern is the lack of comment. PIV/ Smartcard unlock is an advertised feature and whilst there are a number of moving parts (certificates etc etc) I am not seeing these errors with another test smart-card solution.

Two reasons I am still investigating this
a) the USB form factor is better, given our users are all supplied with laptops
b) Others have reported they have a working set up.

Out of ideas.
David


Top
 Profile  
Reply with quote  
PostPosted: Thu Jan 26, 2017 8:23 pm 
Offline

Joined: Thu Jan 26, 2017 11:45 am
Posts: 4
Yeah, have the same issues myself. Error Event ID 7.


Top
 Profile  
Reply with quote  
PostPosted: Fri Jan 27, 2017 12:22 pm 
Offline

Joined: Thu Jan 26, 2017 11:45 am
Posts: 4
This is now working in Windows 10 build 15002 and later. Confirmed with a Yubikey 4.

My findings with Windows 10 builds;
14393 (1607 stable):Not working , error 7
14986 (Insider Preview Slow ring):Not working, error 7
15002(Insider Preview Fast ring):Working!!


Top
 Profile  
Reply with quote  
PostPosted: Fri Feb 17, 2017 3:53 pm 
Offline

Joined: Mon Jan 09, 2017 2:00 am
Posts: 3
Now confirmed working on Anniversary Update, fully patched (14393) as of today with a Microsoft HotPatch - KB3216755

As per the Yubikey quote from The Register article here:

http://www.theregister.co.uk/2017/02/16/win10_anniversary_borks_smartcards/

Yubico "We have confirmation from Microsoft that a hotfix has been released on the Windows Update Catalog that should solve the Windows 10 smart card login issue with the YubiKey. We do not have a timeframe when this will be available as an automatic Windows Update but it is available for a manual download and installation. We’ve done testing in our lab environment and found this has indeed solved the issue."

Link to the patch on Microsoft's catalogue is about halfway down the Registers article.

David


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 7 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group